- A remote code execution bug in SharePoint lets hackers hijack systems without even logging in
- Storm-2603 is exploiting unpatched servers using chained bugs to gain long-term access undetected
- ToolShell scored a perfect 10 on Bitsight’s risk scale, triggering immediate federal concern
A critical flaw in on-premises Microsoft SharePoint Servers has escalated into a wider cybersecurity crisis, as attackers move from espionage to extortion.
The campaign, initially traced to a vulnerability that allowed stealthy access, is now distributing ransomware, a development that adds an alarming layer of disruption to what was previously understood as a data-focused intrusion.
Microsoft has linked this pivot to a threat actor it refers to as “Storm-2603,” and victims whose systems have been locked out must pay a ransom, typically in cryptocurrency.
From silent access to full-blown extortion
At the heart of the compromise are two severe vulnerabilities: CVE-2025-53770, dubbed “ToolShell,” and its variant CVE-2025-53771.
These flaws allow unauthenticated remote code execution, giving attackers control over unpatched systems simply by sending a crafted request.
The absence of login requirements makes these exploits particularly dangerous for organizations that have delayed applying security updates.
Experts from Bitsight say CVE-2025-53770 scores the maximum 10 on the firm’s Dynamic Vulnerability Exploit (DVE) scale, highlighting the urgency of remediation.
Security firms have noted a sharp uptick in attacks. Eye Security, which first reported signs of compromise, estimated 400 confirmed victims, up from 100 over the weekend, and warned the actual number is likely far higher.
“There are many more, because not all attack vectors have left artifacts that we could scan for,” said Vaisha Bernard, chief hacker for Eye Security.
US government agencies, including the NIH and reportedly the Department of Homeland Security (DHS), have also been affected.
In response, CISA, DHS’s cyberdefense arm, has added CVE-2025-53770 to its Known Exploited Vulnerabilities list, mandating immediate action across federal systems once patches are released.
One strain in circulation is said to be the “Warlock” ransomware, distributed freely within compromised environments.
The pattern of chained exploits, combining the newer CVEs with older ones like CVE-2025-49704, points to a deeper structural issue in the security of on-premises SharePoint instances.
Attackers have reportedly managed to bypass multi-factor authentication, steal machine keys, and maintain persistent access across affected networks.
While SharePoint Online in Microsoft 365 remains unaffected, the impact on traditional server deployments has been widespread.
Researchers estimate over 75 to 85 servers globally have already been compromised, with affected sectors spanning government, finance, healthcare, education, telecom, and energy.
Globally, up to 9,000 exposed services remain at risk if left unpatched.
Organizations are strongly urged to install the latest updates: KB5002768 for SharePoint Subscription Edition, KB5002754 for SharePoint 2019, and KB5002760 for SharePoint 2016.
Microsoft also recommends rotating MachineKey values after patching and enabling AMSI (Antimalware Scan Interface) integration with Defender Antivirus.
Additional guidance includes scanning for signs of compromise, such as the presence of spinstall0.aspx web shells, and monitoring logs for unusual lateral movement.
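As an added illustration of the compromise check above (example code written for this piece, not Microsoft’s or any vendor’s tooling), the script below does two things a defender would do first: walk a SharePoint layouts directory looking for any file named spinstall0.aspx, and scan IIS-style access log lines for requests that touch that file. The LAYOUTS path is the standard SharePoint 16 hive location and is assumed, not taken from the article; the sample log lines, file tree and the `/_layouts/15/spinstall0.aspx` URI are constructed for the demo.

```python
"""Defender-side checks for the spinstall0.aspx indicator named in the article.

Added example, not code from the article or from Microsoft. Paths, log lines
and the demo file tree are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# File name the article cites as a sign of compromise.
WEBSHELL_NAME = "spinstall0.aspx"

# Assumption: the standard SharePoint "16 hive" LAYOUTS directory. On a real
# server pass this (or the whole TEMPLATE tree) to scan_layouts().
DEFAULT_LAYOUTS = Path(
    r"C:\Program Files\Common Files\Microsoft Shared"
    r"\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)

# Constructed W3C-format IIS log excerpt: one normal request from an internal
# user, then two requests for the web shell from an external address.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-21 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-21 10:16:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 200
2025-07-21 10:17:00 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 200
"""

# Matches the field order declared in SAMPLE_LOG's #Fields header.
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<uri>\S+) "
    r"\S+ \S+ \S+ (?P<client>\S+) "
)


def scan_layouts(root: Path) -> list[Path]:
    """Return every file under root whose name is the web shell name.

    The comparison is case-insensitive because NTFS is.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == WEBSHELL_NAME:
                hits.append(Path(dirpath) / name)
    return hits


def find_webshell_requests(log_lines) -> list[tuple[str, str, str]]:
    """Return (client_ip, method, uri) for each request touching the web shell.

    Header lines starting with '#' and lines that do not parse are skipped.
    """
    findings = []
    for line in log_lines:
        if line.startswith("#"):
            continue
        m = IIS_LINE.match(line)
        if not m:
            continue
        if WEBSHELL_NAME in m.group("uri").lower():
            findings.append((m.group("client"), m.group("method"), m.group("uri")))
    return findings


def demo_scan() -> list[str]:
    """Build a constructed stand-in for the LAYOUTS tree in a temp directory
    (one benign page, one mixed-case web shell file with no payload) and
    return the hit paths relative to the tree, using '/' separators."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "start.aspx").write_text("<%@ Page %>")  # benign page
        sub = root / "15"
        sub.mkdir()
        (sub / "SpInstall0.aspx").write_text("<%@ Page %>")  # constructed stand-in
        return sorted(
            str(p.relative_to(root)).replace(os.sep, "/") for p in scan_layouts(root)
        )


if __name__ == "__main__":
    for hit in scan_layouts(DEFAULT_LAYOUTS) if DEFAULT_LAYOUTS.exists() else []:
        print("web shell on disk:", hit)
    for client, method, uri in find_webshell_requests(SAMPLE_LOG.splitlines()):
        print(f"web shell request from {client}: {method} {uri}")
```

Two design notes: the filename match is deliberately exact so that the check stays cheap to run across every server in a farm, and the log scan reports the client address with each hit because that address is the pivot for the “unusual lateral movement” review the guidance goes on to recommend. An absence of hits from either check is not proof of a clean server, since Eye Security notes above that not every attack vector leaves artifacts that can be scanned for.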
Some organizations are also exploring ZTNA (Zero Trust Network Access) and business VPN models to isolate critical systems and segment access.
However, these measures are only effective if combined with strong endpoint protection and timely patch management.
Via Reuters